Skip to main content
Container image scanning is a critical step in supply-chain security. In this guide, you’ll learn about CVEs, CVSS ratings, and how to use Trivy to automatically detect and remediate known vulnerabilities in your container images.

What Is a CVE?

Common Vulnerabilities and Exposures (CVE) is the industry-standard database for public security flaws. Each vulnerability gets a unique identifier, helping you avoid duplicates and streamline research.
Visit the CVE Database to search for published vulnerabilities and track remediation status.
The image shows a webpage from the Common Vulnerabilities and Exposures (CVE) database, listing search results for various CVE records with their descriptions.
Typical CVE categories include:
  • Unauthorized access bypasses (e.g., confidential data exposure)
  • Denial-of-service or performance degradation bugs

Understanding CVSS Severity Ratings

The Common Vulnerability Scoring System (CVSS) provides both a numeric score (0–10) and a qualitative severity label. Use the table below to interpret scores:
SeverityCVSS Score Range
None0.0
Low0.1 – 3.9
Medium4.0 – 6.9
High7.0 – 8.9
Critical9.0 – 10.0
The image shows a color gradient bar representing CVE severity scores from 0 to 10, along with tables comparing CVSS v2.0 and v3.0 ratings and their corresponding base score ranges.

Example: CVE-2020-5911

CVE-2020-5911 affects the NGINX Ingress Controller installer on Debian/Ubuntu by downloading packages over HTTP instead of HTTPS. Its CVSS base score is 7.3 (High), indicating a serious risk.
The image shows details of a CVE (Common Vulnerabilities and Exposures) entry, specifically CVE-2020-5911, with a description of the vulnerability and a CVSS (Common Vulnerability Scoring System) base score of 7.3, indicating high severity.

Why Scan Container Images?

Containers often bundle multiple libraries and OS packages, each a potential vector for attacks. Automated scanners help you:
  • Identify and upgrade vulnerable packages
  • Apply patches or workarounds
  • Remove unused components to reduce risk
The image shows a "CVE Scanner" title with an illustration of a smartphone displaying gear icons, alongside a list of CVE (Common Vulnerabilities and Exposures) entries with descriptions.

Container Vulnerability Scanner: Trivy

Trivy by Aqua Security is a fast, user-friendly scanner that integrates easily into Docker workflows and CI/CD pipelines.

Installing Trivy on Debian/Ubuntu

sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
  | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy

Running a Basic Scan

trivy image nginx:1.18.0

2021-03-21T02:54:18.240Z    INFO    Detecting Debian vulnerabilities...
2021-03-21T02:54:18.295Z    INFO    Trivy skips scanning programming language libraries because no supported file was detected

nginx:1.18.0 (debian 10.8)
Total: 155 (UNKNOWN: 0, LOW: 110, MEDIUM: 9, HIGH: 33, CRITICAL: 3)

LIBRARY     VULNERABILITY ID  SEVERITY  INSTALLED VERSION    FIXED VERSION    TITLE
-------------------------------------------------------------------------------------------------------
apt         CVE-2011-3374     LOW       1.8.2.2                                Incorrect handling in apt-key
bash        CVE-2019-18276    MEDIUM    5.0-4                                  When effective UID != real UID
coreutils   CVE-2016-2781     MEDIUM    8.30-3                                 Session escape in chroot
curl        CVE-2020-8169     HIGH      7.64.0-4+deb10u1                       libcurl: partial password leak
...

Filtering and Advanced Options

# Only CRITICAL and HIGH
trivy image --severity CRITICAL,HIGH nginx:1.18.0

# Skip vulnerabilities without available fixes
trivy image --ignore-unfixed nginx:1.18.0

# Scan a saved tar archive
docker save nginx:1.18.0 > nginx.tar
trivy image --input nginx.tar
Using --ignore-unfixed can hide critical risks if no patch is available. Always review the full report before deployment.

Reduce Your Image’s Attack Surface

Smaller base images generally contain fewer vulnerabilities. Compare these scan results:
ImageTotal CVEs
nginx:1.18.0 (debian)155
nginx:1.18.0-alpine0
Always prefer minimal, official base images.
The image lists best practices for image scanning, including continuous rescanning, using Kubernetes Admission Controllers, maintaining a repository of pre-scanned images, and integrating scanning into the CI/CD pipeline.

Image Scanning Best Practices

  • Continuously re-scan images to catch newly disclosed CVEs
  • Enforce admission controls to block or quarantine unscanned or unsafe images
  • Maintain an internal registry of pre-scanned, approved images for rapid rollouts
  • Integrate scanning into CI/CD pipelines so that every build is audited at source

Watch Video